Azure VPN and UDR

This is a tricky one to explain - but basically I have a Point2Site VPN to Azure.

My Azure VNET is carved into multiple subnets. For one of the subnets (MGMT) I have a route defined for 0.0.0.0/0 with the next hop as the CloudGuard. Any VMs on this subnet can access the internet via the CloudGuard and can access other subnets without any problems.

The problem I have is that when I connect my Point2Site VPN I can't RDP to a VM on the MGMT subnet. I can RDP to any other subnet, and I can even RDP from the MGMT subnet to any other subnet.

In the logs I can see the connection being dropped, but it doesn't specify the rule that's dropping it.

I, not being very proficient in Azure but OK with AWS, would like to clarify something:

Do Azure UDRs allow you to set up routes that depend on protocols or port numbers?

If yes, which is pretty doubtful, they are still just routes external to the instance (or VM) that you are trying to connect to.

If your default gateway (CloudGuard) is defined in the UDR and you want to use RDP coming from a different source, you may have to hard-code the return route in the OS of the system that you are trying to access.

I recommend that you follow that packet step by step to understand what is going on. Something that could happen is that the RDP answer is getting to the gateway through a different interface, which might be enough to drop that packet. Try also opening the log details to see if you find more information on the drop reason. I am still not sure I fully understood the flow you are trying; if you document the topology and flow with a diagram and post it here, I am sure it will get clearer.

Thanks for the reply Javier. I will upload a diagram to try and make it clearer.

Ultimately I just want to route all subnet traffic out of the CloudGuard but continue to allow RDP traffic from the Point2Site VPN. It seems that when I set up the UDR for the MGMT traffic it drops RDP inbound.

The routes are below, but I'm confused because all the other subnets that don't have a UDR, but contain the default routes, can all RDP to the VPN subnet and vice versa. So it is something to do with the UDR routing 0.0.0.0/0 to the CloudGuard.

<because all the other subnets that don't have a UDR, but contain the default routes, can all RDP to the VPN subnet and vice versa

In my opinion this is because the VNet route (10.10.224.0/22) is still valid, so traffic from/to subnets in this VNet is not routed to the CloudGuard. You have to replace this route with a UDR pointing to the CloudGuard (and you have to do this in every subnet). After that, the traffic will be routed to the CloudGuard (if this is what you want)?
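To make the asymmetric-path explanation in the replies above concrete, here is an added Python model of Azure's longest-prefix-match route selection for the MGMT subnet; it is not code from this thread or from Check Point. The VNet prefix 10.10.224.0/22 is the one quoted above, while the CloudGuard address and the P2S client pool are assumed placeholders, and the model assumes no more specific route already covers that pool.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str
    source: str                 # "System" (Azure default) or "User" (UDR)
    hop_type: str               # VirtualNetwork, VirtualAppliance, VirtualNetworkGateway
    hop_ip: Optional[str] = None


# Precedence Azure applies when two routes have the same prefix length.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, dst):
    """Longest-prefix match; ties are broken by source rank (a UDR beats a system route)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                       -SOURCE_RANK[r.source]))


def return_path_symmetric(routes, client_ip):
    """RDP from a P2S client arrives through the VPN gateway; the reply only takes the
    same path back if the subnet's effective route for the client points at the gateway."""
    r = select_route(routes, client_ip)
    return r is not None and r.hop_type == "VirtualNetworkGateway"


VNET_PREFIX = "10.10.224.0/22"     # VNet address space quoted in the thread
CLOUDGUARD_IP = "10.10.224.4"      # assumption: CloudGuard internal interface
P2S_POOL = "172.16.201.0/24"       # assumption: P2S VPN client address pool

# MGMT subnet as described: VNet system route plus the 0.0.0.0/0 UDR to the CloudGuard.
MGMT_BROKEN = [
    Route(VNET_PREFIX, "System", "VirtualNetwork"),
    Route("0.0.0.0/0", "User", "VirtualAppliance", CLOUDGUARD_IP),
]

# Same table plus a more specific UDR that sends the VPN client pool back to the gateway,
# so the firewall never sees a reply for a connection it did not see start.
MGMT_FIXED = MGMT_BROKEN + [Route(P2S_POOL, "User", "VirtualNetworkGateway")]

if __name__ == "__main__":
    client = "172.16.201.10"
    for name, table in (("broken", MGMT_BROKEN), ("fixed", MGMT_FIXED)):
        r = select_route(table, client)
        print(f"{name}: reply to {client} -> {r.hop_type} {r.hop_ip or ''} "
              f"symmetric={return_path_symmetric(table, client)}")
    # Intra-VNet RDP keeps working either way: the /22 system route is more specific.
    print("intra-VNet:", select_route(MGMT_BROKEN, "10.10.225.10").hop_type)
```

In the broken table the reply to the VPN client is the only half of the RDP session the CloudGuard sees, which is the kind of drop the logs above report without naming a rule.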